Firewall Wizards mailing list archives
Re: Sardonix Security Auditing Portal
From: John McDermott <jjm () jkintl com>
Date: Thu, 07 Feb 2002 11:54:00 -0700
Crispin Cowan wrote:

> We propose to address this underused potential by providing a real & effective web portal to facilitate & encourage source code auditing. This web site will facilitate and encourage source code auditing in the following ways: ...

Great idea.

> The score keeping is really the most important part of the web site, with two key roles to play:
>
> * the karma whore effect: we conjecture that a web site that will mechanically compute a number of how l33t you are will attract people to audit code. Consider how hard people will work just to score karma points on Slashdot :-)
>
> * assuring code quality: scoring the code in terms of the number & quality of eyes that have read it will give code consumers a reasonably valid way to determine the level of trust they can put in that code.

I would suggest adding points for providing the fix, or at least *a* fix, even if the fix is not adopted by the code's maintainer. This removes some of the work from the maintainer and encourages the auditor to not only discover problems, but to also discover the specifics of the problem and how it might be fixed. I can see, for example, an individual beating on a tool until it fails and making a report that with a particular input stream or whatever, the tool fails. Actually finding what is wrong is important, so encouraging the finding of a fix might be something to reward.

Another possibility might be to award points for the creation of auditing tools. This is, in general, a hard problem (or else we'd all just test our code with the one true audit program and the site would not be necessary). Rewarding good tools might encourage some of the research necessary to get such tools created.

Just my USD0.02

--john

--
John McDermott, Writer and Consultant
J-K International, Ltd.
V +1 505/377-6293 F +1 505/377-6313
jjm () jkintl com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Sardonix Security Auditing Portal Crispin Cowan (Feb 05)
- Re: Sardonix Security Auditing Portal John McDermott (Feb 07)
- Re: Sardonix Security Auditing Portal Crispin Cowan (Feb 08)
- Re: Sardonix Security Auditing Portal Paul Robertson (Feb 08)
- Re: Sardonix Security Auditing Portal Crispin Cowan (Feb 09)